Funny, I always use the binaries distributed by the developers whenever I can thinking that the less intermediaries the better. Maybe I need to revise that position.

Malicious distro packagers are virtually unheard of, and another set of eyes on the software is generally better. For instance, if the developer sells out the packager can save your bacon. This is especially true on Android where selling out is more common (see: the Simple Apps situation and F-Droid) but also a valid consideration on desktop Linux.

I wouldn't assume anything about distro packages really. It's a higher bar in some systems (like Debian), lower in some (like nixpkgs), but the time investment to be in a position to sabotage something is quite low overall and requires little skill. Then there are not-distro packages that they easily abused over time. For example sourceforge was a respected distributor of software for a long time and they moved to adware installers.

I stick to official distro packages from distros I like, mainly Debian and OpenSUSE. Community packages are too sketchy for me, and I consider downloading packages from sourceforge/etc to be a Windowism. And while it's possible for a malicious entity to infiltrate the ranks of distro packagers, I think the threat of the developer selling out has proven to be more likely.

That's... quite a Windows mindset.